Morehead Memorial Hospital takes the privacy and protection of personal information very seriously. We recently experienced a cybersecurity attack involving certain patient and employee data. It is important to us that we let affected individuals know about this incident so that they can take steps to protect themselves.

What Happened

An unauthorized party sent fraudulent communications to Morehead, enabling them to obtain login information that allowed access to two email accounts within the hospital. Promptly upon learning about these communications, we took steps to address the incident. Our IT staff cut off access to the affected accounts, issued a network-wide password reset, and engaged top-tier forensic consultants to conduct a full investigation. We have contacted the FBI and the Department of Homeland Security and will cooperate with their investigation.

What Information Was Involved

The email accounts contained certain types of information about some former patients or employees, including health insurance payment summaries, treatment overviews, health plan information, and in limited cases, Social Security numbers.

Please be assured that at this time we are not aware of any fraud or misuse of information as a result of this incident.

What We Are Doing

To help prevent an attack like this from recurring, we are enhancing our security measures to protect our systems, and we are providing additional training to our staff so that they are better prepared to identify potentially fraudulent communications. We have also created an internal web page to provide timely updates to employees as we become aware of phishing and email attacks.

What You Can Do

As a precaution, individuals can carefully check credit reports for accounts they did not open or for inquiries from creditors they did not initiate. If they see anything they do not understand, they should call the credit agency immediately. If they find any suspicious activity on their credit reports, they should call the local police or sheriff’s office to file a police report for identity theft and get a copy of it. Copies of the police reports are often requested by creditors.

Patients who have received medical services provided by Morehead, or individuals who are members or beneficiaries of the hospital’s group health plan, should regularly review their explanation of benefits (EOB) statements. If services listed on the EOB were not received by any plan member or beneficiary, immediately contact the health plan.

You will find additional information in the “Information About Identity Theft Protection” reference guide, available here. It describes further steps that individuals may take to help protect themselves, including recommendations by the Federal Trade Commission and the Department of Health and Human Services regarding identity theft protection and details about placing a fraud alert or a security freeze on credit files.

For More Information

For more information about this incident, please call 1-833-202-7408, Monday through Friday from 9 a.m. to 6 p.m. Eastern Time. We have also provided a list of Frequently Asked Questions about this incident, available here. Your information is important to us, and we regret any concerns that this matter may cause.